A new cybersecurity market segment has emerged in the past few years that combines “active defense” technologies with the traditional concept of honeypots or honeynets. Dubbed deception technologies, these tools can be configured to intercept attacks in progress and lure the attacker to systems and applications running expressly to keep them occupied while defenders either observe their behavior and learn what they’re up to, work to block or respond to their actions, or both.

A key advantage of using deception technologies is that there is likely very little chance of false positives — anyone accessing any deception systems or assets are either actively engaged in attack behavior or violating policy intentionally or accidentally.

How deception technologies works

Deception tools often mimic real-world systems and assets that attract attackers. To better mimic reality, tools in this category should include: multiple types of operating system decoys; decoy credentials (honeytokens) that can actually be used within the deception environment; decoy documents and information that would attract an attacker (fake sensitive data) and flexible deployments that can include typical in-house networks with both servers and end-user computing; cloud environments; and specialized IT infrastructure, like industrial control platforms or payment card processing environments.

There are numerous types of activities that deception technologies can detect, including:

Early stage reconnaissance of users and systems

System or application exploitation

Credential theft and abuse

Lateral movement from one system to others

Attacks against user directories and identity stores

Passive attacks like man-in-the-middle and sniffing

Sensitive data access and exfiltration

The uses of deception technologies

There are numerous use cases and ways that deception technology aids and improves threat hunting and incident response activities.

A key advantage of using deception technologies is that there is likely very little chance of false positives.

First, threat hunting activities can be immediately initiated when one of the deception tripwires goes off. This helps to reduce wild goose chases and false positives that often occur with many other detection techniques, and it also often leads to minimized dwell time and faster detection-to-response metrics for the security team as a whole.

With deception tools, defenders can immediately focus on the asset that’s been accessed (file, system, credentials and so on) and then immediately look at:

What account or system accessed the decoy;

What other systems the account or system has been communicating with prior to this; and

Methods of access and patterns of behavior that could become indicators of compromise or tactics, techniques and procedures used in additional threat hunting activities.

Second, deception tools can be used to dynamically shift the landscape of what an attacker sees, providing more complexity and a continuous challenge that keeps them occupied. When a deception tripwire is triggered and defenders assess the situation unfolding, they can choose to deploy new decoy systems and credentials in whatever way they like, which grants them additional time to respond or simply observe how new techniques unfold.

Third, some deception tools include implanted cookies and geolocation trackable information that might give away an attacker’s location if they download or exfiltrate files.

Finally, deception tools can be used in red team-blue team exercises to build and enhance defensive controls and fine-tune incident-response processes based on attack models seen in the environment. Some deception products also have extensible APIs that can integrate with other monitoring and response tools, helping to automate and improve all aspects of the detection and response cycle.